Introduction
CDR (Call Detail Record) and IPDR (Internet Protocol Detail Record) are the most important evidence in cyber crime investigation. These records help in identifying who communicated with whom, when, and from where. This section will explain in detail how to obtain and analyze these records.
After completing this part, you will be able to explain what a CDR is and how it is obtained, analyze CDR fields, perform IPDR analysis, and map tower locations to track suspects.
What is CDR?
CDR (Call Detail Record) is a detailed record of all voice calls and SMS generated by a telecom service provider for each subscriber. It contains information about every call - who called whom, when, for how long, and from which tower.
Types of CDR
Voice CDR
Record of all incoming and outgoing voice calls. Contains caller, called number, duration, and tower information.
SMS CDR
Record of sent and received SMS. Contains sender, receiver number, timestamp, and tower information.
Data CDR
Record of mobile data usage. Contains data volume, session duration, and tower information.
Tower Dump
List of all mobile numbers that connected to a specific tower during a time period.
How to Obtain CDR
CDR is obtained from telecom service providers through legal process:
- Section 91 CrPC (BNSS Section 94): Court can issue summons to telecom company
- Section 92 CrPC (BNSS Section 95): For urgent cases, SP or above can requisition
- Direct Request: Many TSPs have nodal officers who handle law enforcement requests
As per DoT guidelines, telecom companies must retain CDR for at least 2 years. The IPDR retention period is 1 year. Submit requests promptly, since data may be purged once the retention period ends.
Understanding CDR Fields
It is important to understand CDR fields for effective analysis. Different telecom companies may have slightly different formats, but the basic fields remain the same.
Important CDR Fields
Sample CDR Format
CDR Analysis Techniques
Basic Analysis Steps
- Data Cleaning: Remove duplicate entries, fix formatting issues
- Timeline Analysis: Arrange calls chronologically to understand activity pattern
- Contact Analysis: Identify frequent contacts and their relationship
- Location Analysis: Map cell IDs to physical locations
- Pattern Analysis: Identify unusual patterns or anomalies
Key Analysis Points
| Analysis Type | Purpose | Method |
|---|---|---|
| Common Number Analysis | Identify numbers that communicate with both suspects | Cross-reference CDRs of multiple suspects |
| Tower Analysis | Establish location at specific time | Map cell IDs to tower locations |
| Call Pattern | Identify unusual call patterns | Look for bursts of activity, odd hours |
| IMEI Tracking | Track device even if SIM changed | Request CDR by IMEI instead of number |
| Tower Dump Analysis | Identify all phones at crime scene | Request dump from nearest towers |
If a crime occurred at 10:00 PM, request CDR along with a tower dump of the nearby towers for 9:30 PM to 10:30 PM. This gives you a list of all mobile phones that were in the area during that window. Cross-reference it with the suspects' known numbers.
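The two analyses in the table that lend themselves most directly to scripting are common-number analysis and tower-dump cross-referencing. The following is an added example, not code from the original module; the CSV column layout, the phone numbers, times and Cell IDs are all constructed, and real TSP exports will differ in column names and date format.

```python
"""Common-number analysis and tower-dump cross-referencing over constructed CDR
records. Added example; the column layout and all numbers/times are assumptions."""
import csv
import io
from datetime import datetime

FMT = "%Y-%m-%d %H:%M:%S"

# Constructed CDR extracts (hypothetical numbers, local time). Columns are an
# assumed layout: the subscriber whose CDR this is, the counterpart number,
# direction, start time, duration in seconds and the serving Cell ID.
CDR_SUSPECT_A = """msisdn,other_party,direction,start_time,duration_s,cell_id
9100000001,9100000050,OUT,2024-03-01 21:40:00,120,404-10-1201-5001
9100000001,9100000060,IN,2024-03-01 21:55:00,30,404-10-1201-5001
9100000001,9100000070,OUT,2024-03-01 22:05:00,15,404-10-1201-5002
"""
CDR_SUSPECT_B = """msisdn,other_party,direction,start_time,duration_s,cell_id
9100000002,9100000060,OUT,2024-03-01 21:50:00,45,404-10-1201-5003
9100000002,9100000080,IN,2024-03-01 22:10:00,60,404-10-1201-5003
9100000002,9100000070,OUT,2024-03-02 09:00:00,300,404-10-1300-6001
"""
# Constructed tower dump for one cell: every number that registered on it.
TOWER_DUMP = """msisdn,cell_id,timestamp
9100000001,404-10-1201-5001,2024-03-01 21:40:00
9100000099,404-10-1201-5001,2024-03-01 21:42:00
9100000123,404-10-1201-5001,2024-03-01 22:15:00
9100000002,404-10-1201-5001,2024-03-01 23:30:00
"""

def load(text):
    """Parse a CSV extract into a list of dict rows."""
    return list(csv.DictReader(io.StringIO(text)))

def contacts(cdr):
    """All counterpart numbers in one subscriber's CDR, regardless of direction."""
    return {row["other_party"] for row in cdr}

def common_numbers(*cdrs):
    """Numbers that appear as a counterpart in every CDR supplied
    (the 'Common Number Analysis' row of the table above)."""
    sets = [contacts(c) for c in cdrs]
    return set.intersection(*sets) if sets else set()

def first_contact(cdr, number):
    """Earliest record involving `number`, useful for establishing who reached whom first."""
    rows = [r for r in cdr if r["other_party"] == number]
    return min(rows, key=lambda r: datetime.strptime(r["start_time"], FMT)) if rows else None

def tower_dump_hits(dump, start, end, suspects):
    """Numbers present in the dump within [start, end], split into
    (known suspects seen, other numbers seen). Both lists are sorted."""
    s, e = datetime.strptime(start, FMT), datetime.strptime(end, FMT)
    present = {r["msisdn"] for r in dump
               if s <= datetime.strptime(r["timestamp"], FMT) <= e}
    known = set(suspects)
    return sorted(present & known), sorted(present - known)

if __name__ == "__main__":
    a, b = load(CDR_SUSPECT_A), load(CDR_SUSPECT_B)
    print("common counterparts:", sorted(common_numbers(a, b)))
    hits, others = tower_dump_hits(load(TOWER_DUMP), "2024-03-01 21:30:00",
                                   "2024-03-01 22:30:00", ["9100000001", "9100000002"])
    print("suspects on tower in window:", hits, "| other numbers to screen:", others)
```

Note that the suspect B record on the tower at 23:30 falls outside the 9:30 PM to 10:30 PM window and is correctly excluded; widening or narrowing the window changes the result, so record the exact window used in the case file.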
IPDR Analysis
IPDR (Internet Protocol Detail Record) is a record of internet data sessions. It contains information about when a user connected to the internet, what IP address was assigned, and how much data was used.
IPDR Fields
| Field | Description |
|---|---|
| User ID / MSISDN | Mobile number or subscriber identifier |
| Session Start Time | When the data session started |
| Session End Time | When the data session ended |
| Private IP | IP assigned to the device by the carrier |
| Public IP / NAT IP | IP address visible to external servers |
| Port Number | NAT port used for the session |
| APN | Access Point Name (internet, mms, etc.) |
| Data Volume | Upload and download bytes |
| Cell ID | Tower information during the session |
| IMEI | Device identifier |
IPDR Use Cases
- IP to Subscriber Mapping: Identify who was using a specific IP address at a specific time
- Session Correlation: Link online activities to specific subscriber
- Location Tracking: Cell ID in IPDR helps establish location during internet usage
- Data Usage Patterns: Identify unusual data consumption patterns
Most mobile carriers use CGNAT (Carrier Grade NAT), meaning multiple subscribers may share the same public IP. Always request both IP address AND port number with exact timestamp to identify the correct subscriber.
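The CGNAT point above is easiest to see with data. The following is an added example, not part of the original module: a constructed IPDR extract in which three subscribers share one public IP and one NAT port is reused after a session ends. The column layout, the IPs, numbers and times are assumptions, and the IPDR timestamps are assumed to be in IST while the server log line being resolved is in UTC, which is the usual mismatch an analyst has to normalize before matching.

```python
"""Resolving a public IP + NAT port + timestamp to a subscriber in a constructed
IPDR extract. Added example; column layout, numbers, IPs and times are assumptions."""
import csv
import io
from datetime import datetime, timedelta, timezone

FMT = "%Y-%m-%d %H:%M:%S"
IST = timezone(timedelta(hours=5, minutes=30))  # assumed zone of the TSP's IPDR timestamps

# Constructed IPDR extract. The three sessions share one CGNAT public IP;
# port 40001 is reused by a second subscriber after the first session ends.
IPDR = """msisdn,session_start,session_end,private_ip,public_ip,nat_port,apn
9100000001,2024-03-01 21:00:00,2024-03-01 21:30:00,10.64.5.6,203.0.113.10,40001,internet
9100000002,2024-03-01 21:10:00,2024-03-01 21:50:00,10.64.5.7,203.0.113.10,40002,internet
9100000003,2024-03-01 21:40:00,2024-03-01 22:00:00,10.64.5.8,203.0.113.10,40001,internet
"""

def load(text):
    """Parse a CSV extract into a list of dict rows."""
    return list(csv.DictReader(io.StringIO(text)))

def parse_ist(s):
    """IPDR times are naive local strings; attach the assumed zone so they can be
    compared with timestamps from other sources."""
    return datetime.strptime(s, FMT).replace(tzinfo=IST)

def lookup(ipdr, public_ip, port=None, at=None):
    """Subscribers matching the given public IP, optionally narrowed by NAT port
    and by a timezone-aware instant that must fall inside the session."""
    matches = []
    for r in ipdr:
        if r["public_ip"] != public_ip:
            continue
        if port is not None and int(r["nat_port"]) != port:
            continue
        if at is not None and not (parse_ist(r["session_start"]) <= at <= parse_ist(r["session_end"])):
            continue
        matches.append(r["msisdn"])
    return matches

def resolve_log_line(ipdr, line):
    """Take a constructed web-server log line of the form
    '<ISO-8601 UTC time> <ip>:<port> <request>' and resolve it to subscribers."""
    ts, endpoint = line.split()[:2]
    at = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    ip, port = endpoint.rsplit(":", 1)
    return lookup(ipdr, ip, int(port), at)

if __name__ == "__main__":
    rows = load(IPDR)
    print("IP only        :", lookup(rows, "203.0.113.10"))         # three candidates
    print("IP + port      :", lookup(rows, "203.0.113.10", 40001))  # still two
    print("IP + port + ts :", resolve_log_line(
        rows, "2024-03-01T16:15:00Z 203.0.113.10:40001 GET /login"))  # one subscriber
```

The IP alone yields three candidates and IP plus port still yields two; only the timestamp, converted into the same zone as the IPDR, narrows it to one. If the server log had been treated as IST instead of UTC, the same line would resolve to the wrong subscriber, so always confirm the timezone of every log source before matching.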
Tower Location Mapping
Tower location mapping is the process of converting Cell IDs to physical geographic locations. This is crucial for establishing the location of a suspect at a specific time.
Cell ID Format
A Cell ID is written as MCC-MNC-LAC-CI: Mobile Country Code, Mobile Network Code, Location Area Code and Cell Identity. The MCC and MNC together identify the country and operator, while the LAC and CI identify the individual cell, which the TSP can map to a tower location.
MNC Codes for Major Indian Operators
| MNC | Operator |
|---|---|
| 10, 72, 88 | Airtel |
| 11, 21, 27, 46, 86 | Vodafone-Idea |
| 56, 66 | BSNL |
| 04, 05, 34, 38, 54 | MTNL |
| 06 | Jio |
Getting Tower Locations
- From TSP: Request tower location data along with CDR
- CellID Databases: Online databases like OpenCellID, CellMapper
- TSP Nodal Officer: Can provide exact coordinates for Cell IDs
- Tower Dump: Includes tower location details
Mapping Tools
- Google Earth: Plot tower locations and create visual maps
- QGIS: Open source GIS software for detailed mapping
- Excel with Maps: Basic mapping using Excel add-ins
- Specialized Software: Cellebrite, UFED Physical Analyzer
A cell tower's coverage area varies:
- Urban areas: 500m to 1km radius
- Suburban areas: 1-3km radius
- Rural areas: Up to 10km radius
Tower data therefore provides an approximate location within the serving cell's coverage area, not an exact GPS coordinate.
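The following added example (not code from the original module) ties the Cell ID format, the MNC table and the coverage radii above together: it parses a Cell ID, looks up the operator from the MNC values listed in the table, attaches a tower coordinate with the coverage radius for its area type, and checks whether two towers' coverage areas overlap, which is the practical meaning of "approximate, not exact GPS". The tower coordinates and area types are constructed and do not correspond to real towers.

```python
"""Parsing Cell IDs in the MCC-MNC-LAC-CI form, identifying the operator from the
MNC table above, and attaching a tower location with a coverage radius. Added
example; the tower coordinates and area types are constructed, not real towers."""
from dataclasses import dataclass
from math import asin, cos, radians, sin, sqrt

# MNC -> operator, as listed in the table above (Indian MCCs are 404 and 405).
MNC_OPERATOR = {
    "10": "Airtel", "72": "Airtel", "88": "Airtel",
    "11": "Vodafone-Idea", "21": "Vodafone-Idea", "27": "Vodafone-Idea",
    "46": "Vodafone-Idea", "86": "Vodafone-Idea",
    "56": "BSNL", "66": "BSNL",
    "04": "MTNL", "05": "MTNL", "34": "MTNL", "38": "MTNL", "54": "MTNL",
    "06": "Jio",
}
# Coverage radii in metres, using the upper bound of each range given above.
COVERAGE_M = {"urban": 1000, "suburban": 3000, "rural": 10000}
# Constructed tower table: canonical Cell ID -> (latitude, longitude, area type).
TOWERS = {
    "404-10-1201-5001": (28.6139, 77.2090, "urban"),
    "404-10-1201-5002": (28.6200, 77.2150, "urban"),
    "404-10-1300-6001": (28.9000, 77.6000, "rural"),
}

@dataclass(frozen=True)
class CellId:
    mcc: str
    mnc: str
    lac: int
    ci: int

def parse_cell_id(text):
    """Split 'MCC-MNC-LAC-CI'; reject anything that is not four numeric parts."""
    parts = text.strip().split("-")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not in MCC-MNC-LAC-CI form: {text!r}")
    mcc, mnc, lac, ci = parts
    if len(mcc) != 3 or len(mnc) not in (2, 3):
        raise ValueError(f"bad MCC/MNC length in {text!r}")
    return CellId(mcc, mnc, int(lac), int(ci))

def canonical(cell):
    """String form used as the key of the tower table."""
    return f"{cell.mcc}-{cell.mnc}-{cell.lac}-{cell.ci}"

def operator_for(cell):
    return MNC_OPERATOR.get(cell.mnc, "unknown")

def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres between two WGS-84 points."""
    r = 6371000.0
    p1, p2 = radians(lat1), radians(lat2)
    dphi, dlmb = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlmb / 2) ** 2
    return 2 * r * asin(sqrt(a))

def locate(cell_text):
    """Operator plus tower coordinates and radius; the radius is the honest
    precision of the fix, not a GPS point."""
    cell = parse_cell_id(cell_text)
    lat, lon, area = TOWERS[canonical(cell)]
    return {"operator": operator_for(cell), "lac": cell.lac, "ci": cell.ci,
            "lat": lat, "lon": lon, "radius_m": COVERAGE_M[area]}

def coverage_overlaps(cell_a, cell_b):
    """True when the two towers' coverage circles intersect, i.e. tower data
    alone cannot say which of the two areas the handset was in."""
    a, b = locate(cell_a), locate(cell_b)
    d = haversine_m(a["lat"], a["lon"], b["lat"], b["lon"])
    return d <= a["radius_m"] + b["radius_m"]

if __name__ == "__main__":
    print(locate("404-10-1201-5001"))
    print("5001/5002 overlap:", coverage_overlaps("404-10-1201-5001", "404-10-1201-5002"))
    print("5001/6001 overlap:", coverage_overlaps("404-10-1201-5001", "404-10-1300-6001"))
```

The two constructed urban towers are under a kilometre apart, so their coverage circles overlap and a handset seen on either could have been in the same street; the rural tower is tens of kilometres away and does not overlap. This is why a movement inferred from a change of Cell ID should be stated with the radius, not as a point.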
Practical Investigation Steps
Step-by-Step CDR Investigation
- Identify Target Numbers: Collect all phone numbers related to the case
- Request CDR: Send formal request to TSP with proper legal authorization
- Request Tower Details: Ask for tower location data for all Cell IDs
- Import Data: Load CDR into analysis software (Excel, i2 Analyst, etc.)
- Clean Data: Remove duplicates, standardize formats
- Timeline Analysis: Create chronological timeline of all communications
- Contact Network: Map all contacts and their relationships
- Location Analysis: Plot movements using tower data
- Identify Patterns: Look for unusual patterns or correlations
- Corroborate: Cross-reference with other evidence
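Steps 5 to 9 of the procedure above are mechanical enough to script before the records are loaded into a charting tool. The following is an added example, not code from the original module: a constructed single-subscriber CDR extract that is out of order and contains one duplicate row is cleaned, turned into a timeline, summarized into a contact network, collapsed into a movement trace of tower stays, and screened for odd-hour calls. The column layout, numbers, times and Cell IDs are assumptions.

```python
"""Cleaning, timeline, contact-network, movement and pattern steps of the
procedure above, applied to a constructed single-subscriber CDR extract. Added
example; the column layout, numbers, times and Cell IDs are assumptions."""
import csv
import io
from datetime import datetime

FMT = "%Y-%m-%d %H:%M:%S"

# Constructed extract: out of order, with one exact duplicate row (a common
# artefact when two TSP exports are concatenated).
CDR = """msisdn,other_party,direction,start_time,duration_s,cell_id
9100000001,9100000050,OUT,2024-03-01 20:10:00,60,404-10-1201-5001
9100000001,9100000050,OUT,2024-03-01 22:05:00,15,404-10-1201-5002
9100000001,9100000050,OUT,2024-03-01 20:10:00,60,404-10-1201-5001
9100000001,9100000060,IN,2024-03-01 20:45:00,30,404-10-1201-5001
9100000001,9100000070,OUT,2024-03-02 00:20:00,200,404-10-1201-5002
9100000001,9100000050,IN,2024-03-02 07:30:00,40,404-10-1201-5001
"""

def load(text):
    """Parse a CSV extract into a list of dict rows."""
    return list(csv.DictReader(io.StringIO(text)))

def clean(rows):
    """Steps 5 and 6: drop exact duplicate rows and order by start time."""
    seen, out = set(), []
    for r in rows:
        key = tuple(sorted(r.items()))
        if key in seen:
            continue
        seen.add(key)
        out.append(r)
    return sorted(out, key=lambda r: datetime.strptime(r["start_time"], FMT))

def contact_network(rows):
    """Step 7: per counterpart, call count, in/out split and first/last contact.
    Expects rows already ordered by clean()."""
    net = {}
    for r in rows:
        n = net.setdefault(r["other_party"], {"calls": 0, "in": 0, "out": 0,
                                              "first": r["start_time"], "last": r["start_time"]})
        n["calls"] += 1
        n["in" if r["direction"] == "IN" else "out"] += 1
        n["last"] = r["start_time"]
    return net

def movement_trace(rows):
    """Step 8: collapse consecutive records on the same Cell ID into stays."""
    stays = []
    for r in rows:
        if stays and stays[-1]["cell_id"] == r["cell_id"]:
            stays[-1]["last_seen"] = r["start_time"]
        else:
            stays.append({"cell_id": r["cell_id"],
                          "first_seen": r["start_time"], "last_seen": r["start_time"]})
    return stays

def odd_hour_calls(rows, night_start=23, night_end=5):
    """Step 9: records starting in the night window (hours, wrapping midnight)."""
    out = []
    for r in rows:
        h = datetime.strptime(r["start_time"], FMT).hour
        if h >= night_start or h < night_end:
            out.append(r)
    return out

if __name__ == "__main__":
    timeline = clean(load(CDR))
    for r in timeline:
        print(r["start_time"], r["direction"], r["other_party"], r["cell_id"])
    print("contacts:", contact_network(timeline))
    print("stays:", movement_trace(timeline))
    print("odd-hour:", [(r["start_time"], r["other_party"]) for r in odd_hour_calls(timeline)])
```

The movement trace shows the subscriber on tower 5001, then 5002 through the night, then back on 5001 in the morning; read with the coverage radius of each tower, that is the level of detail tower data can support for step 8, and the step 10 corroboration (CCTV, witnesses, handset forensics) is what turns it into a location claim.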
Limitations of CDR Evidence
- CDR does not prove the content of a conversation, only that communication occurred
- Tower location is approximate, not exact GPS
- IMEI can be cloned or spoofed in some cases
- Always corroborate CDR evidence with other evidence types
Key Takeaways
- CDR contains detailed records of all voice calls and SMS with tower information
- IPDR records internet sessions and is crucial for tracing online activities to subscribers
- Key CDR fields include A-party, B-party, timestamp, duration, IMEI, IMSI, and Cell ID
- Tower dump provides list of all devices connected to a tower during specific time
- Cell ID format is MCC-MNC-LAC-CI and helps identify operator and location
- Under CGNAT, multiple subscribers may share the same public IP - always request IP + Port + Timestamp
- CDR retention is 2 years, IPDR retention is 1 year - request data timely
- Tower data provides approximate location, not exact GPS coordinates